General
Target: 13052024_1238_10052024_PrintRequest Proof of transfer copy.Tar
Size: 594KB
Sample: 240513-pvjrsafe64
MD5: 0544b862ca32f517ce0e1e96ce495c21
SHA1: 4d05bf8004332e7d5a9ca70495c7b624d5405fc3
SHA256: 48f15e2cbfe8eb5c96bc14092ce38a79b9c54d52c687cc8301b6b4787b944572
SHA512: dcc12549e647b6fdd3af9510b43bc5358b04634dce5f0c771c17032e44fb92af40ea882145a4adb8fb65743415a4cd48eb889dde3c079f8d843370062fc8794e
SSDEEP: 12288:1PpQT0quKcRa3v2hn0AXMxnUKtxNvtDbjcbr1tYYqHaQS7lF7i:pp7ybe10A8t9RbQbr12u/7i
Static task: static1

Behavioral task: behavioral1
  Sample: PrintRequest Proof of transfer copy.cmd
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: PrintRequest Proof of transfer copy.cmd
  Resource: win10v2004-20240508-en
Malware Config
Extracted: remcos
NEWRemoteHost-APRILFILE
www.pentegrasystem.com:9231
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-3A6IQD
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: PrintRequest Proof of transfer copy.cmd
Size: 2.7MB
MD5: 1dca64bb59f0121045c5ef14703bc2ed
SHA1: 6baf7ebace885ec0c7db99904e9b65f28994d6be
SHA256: 4e7476e32e43cd2e46e1640fcac68de3afbd044b08f76661378d0f4bea0f39c9
SHA512: 8e4673bd28b3484e55e46b0592bebf6c9d0a397defe3ba4c836b2bd04e680398df2b45c8fb771492279270e4d35fa1a3c9df2eb62c4fda6de89577c32c9a1d1a
SSDEEP: 24576:srxwK+DtoQXo3twW5xYRLgd9b+n7ARtI7zv2ziFjbdVuxBJGhRCpC:srxwK+DtpPW56s9b+n7ARi7zv2wyC
Score: 10/10

Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application